Nightmare


5 replies to this topic

#1 ratchet117

ratchet117

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:02 AM

Posted 26 April 2017 - 05:33 PM

Hello guys

 

My PC is infected with something. The symptoms appeared during this month, when my browser settings got modified. I ran my anti-virus (McAfee Premium) plus a malware program (Zemana AntiMalware). They detected browser hijackers and a trojan and cleared everything.

 

A few days later it happened again and I didn't download anything, so I thought that there were extra programs, so I downloaded AdwCleaner. It detected a few more problems and corrected them.

 

And yet again a few days later the modifications happened again. I ran all the programs and noticed that a specific file located in the temporary files was causing issues. Even when deleted it would appear a few hours later. But as long as I always deleted it every time it appeared, my PC was OK.

 

Days have passed with me constantly checking that folder. After a lot of Google searching I saw that a program called Malwarebytes could solve the issue. And it did.

But then Malwarebytes warned me about three programs that wanted to access the web and that it blocked.

 

- MyComGames.exe - origin is a game called Armored Warfare

- mcsvhost.exe - used by my anti-virus

- msiexec.exe - windows installer

 

As soon as I saw the last one I knew it was the problem. It tries to connect to cloudfront.

The other two seem not to be problematic (I added an exclusion for them and didn't have any problems).

 

This problem was posted quite recently at the following link:

 

https://www.bleepingcomputer.com/forums/t/645123/how-to-remove-msiexec-d2buh1bf1g584wcloudfrontnet-and-adwareelex/

 

Since it was locked, I had to make a new post.

 

Is the solution presented in that post compatible with my problem?

If not, can you guys help me?

The problem is contained as long as Malwarebytes is working, but I also found out that sometimes it just stops working, leaving me at risk.

I will post the Farbar Recovery Scan Tool logs in the attachment.

I will also post the report from Malwarebytes

 

Sorry for any grammatical mistakes. English is not my native language.

Attached Files


Edited by ratchet117, 26 April 2017 - 05:36 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 27 April 2017 - 08:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04262017230017029\...\Run: [] => [X]
HKU\S-1-5-21-341341662-432671732-3275167574-1001\...\Policies\Explorer: []
HKU\S-1-5-21-341341662-432671732-3275167574-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04262017230022483\...\Policies\Explorer: []
HKU\S-1-5-18\...\Run: [] => [X]
ShellExecuteHooks: No Name - {ABBA5ED4-039F-11E7-88BA-64006A5CFC23} - C:\Users\ratch\AppData\Roaming\Atedegedraloing\Miuphphamos.dll -> No File
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
CHR Extension: (Pagamentos via Chrome Web Store) - C:\Users\ratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-23]
CHR Extension: (Chrome Media Router) - C:\Users\ratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-26]
S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
Task: {48833BEA-C2AD-4D27-8AC8-45415F73C099} - System32\Tasks\Plerntain Collector => C:\Program Files (x86)\Qivethercoqerly\xmabgh.exe	
Task: {87B1EF58-EBFE-43D0-890D-5BB1903F0141} - \Colucult -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\.rdata:X [526]
C:\Program Files (x86)\Qivethercoqerly

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem continues with Edge, clear these.
Microsoft Edge: How to Clear Browser History and Cache
http://acer--uk.custhelp.com/app/answers/detail/a_id/38047/~/microsoft-edge%3A-how-to-clear-browser-history-and-cache

Please let me know what problem persists with this computer.
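The fixlist above removes four kinds of persistence: a scheduled task running a binary from an odd folder, an orphaned TaskCache entry, a ShellExecuteHooks CLSID whose DLL is gone, and an alternate data stream on a file in C:\ProgramData. The following read-only audit script is an added example, not part of nasdaq's instructions and not FRST code; it re-checks those same locations (the registry paths and C:\ProgramData are the ones named in the fixlist and Fixlog) so the result of the fix can be confirmed, and it assumes an elevated PowerShell session.

```powershell
# Added read-only audit (not nasdaq's instructions, not FRST). Revisits the
# persistence locations the fixlist cleaned. Run from an elevated PowerShell.

# 1. Scheduled tasks whose executable lives outside the Windows directory
#    (the fixlist removed "Plerntain Collector", which ran
#    C:\Program Files (x86)\Qivethercoqerly\xmabgh.exe). Bare names such as
#    cmd.exe also show up here and are worth a second look.
Write-Host "== Scheduled tasks running binaries outside $env:SystemRoot =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }           # COM/e-mail actions
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if ($exe -notlike "$env:SystemRoot*") {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
                OnDisk    = Test-Path -LiteralPath $exe
            }
        }
    }
} | Format-Table -AutoSize

# 2. TaskCache\Tree entries with no matching file under System32\Tasks
#    (the fixlist removed "\Colucult", which FRST flagged as "No File").
Write-Host "== TaskCache entries without a task file =="
$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
Get-ChildItem -Path $tree -Recurse | ForEach-Object {
    $rel = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
    if (-not (Test-Path -LiteralPath "$env:SystemRoot\System32\Tasks\$rel")) { "\$rel" }
}

# 3. ShellExecuteHooks: each CLSID listed here is loaded into Explorer.
#    Resolve it to its DLL and report whether that DLL still exists
#    (the fixlist removed {ABBA5ED4-...}, whose DLL was already missing).
Write-Host "== ShellExecuteHooks =="
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    (Get-Item -Path $hooks).GetValueNames() | ForEach-Object {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$_\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $_; Dll = $dll; OnDisk = [bool]($dll -and (Test-Path -LiteralPath $dll)) }
    } | Format-Table -AutoSize
}

# 4. Alternate data streams on files directly under C:\ProgramData
#    (the fixlist removed the ":X" stream from C:\ProgramData\.rdata).
Write-Host "== Alternate data streams under C:\ProgramData =="
Get-ChildItem -Path 'C:\ProgramData' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length
```

After the fix in this thread, sections 2 through 4 should print nothing and section 1 should list only tasks whose binaries belong to software you recognise.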

#3 ratchet117

ratchet117
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:02 AM

Posted 27 April 2017 - 08:58 AM

Here is the log file after the fix. I can't place it in an attachment (there is no option for that), so I'm gonna copy the content of the file.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-04-2017
Ran by ratch (27-04-2017 14:38:32) Run:1
Running from C:\Users\ratch\Downloads
Loaded Profiles: ratch &  (Available Profiles: ratch)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04262017230017029\...\Run: [] => [X]
HKU\S-1-5-21-341341662-432671732-3275167574-1001\...\Policies\Explorer: []
HKU\S-1-5-21-341341662-432671732-3275167574-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04262017230022483\...\Policies\Explorer: []
HKU\S-1-5-18\...\Run: [] => [X]
ShellExecuteHooks: No Name - {ABBA5ED4-039F-11E7-88BA-64006A5CFC23} - C:\Users\ratch\AppData\Roaming\Atedegedraloing\Miuphphamos.dll -> No File
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
CHR Extension: (Pagamentos via Chrome Web Store) - C:\Users\ratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-23]
CHR Extension: (Chrome Media Router) - C:\Users\ratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-26]
S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
Task: {48833BEA-C2AD-4D27-8AC8-45415F73C099} - System32\Tasks\Plerntain Collector => C:\Program Files (x86)\Qivethercoqerly\xmabgh.exe    
Task: {87B1EF58-EBFE-43D0-890D-5BB1903F0141} - \Colucult -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\.rdata:X [526]
C:\Program Files (x86)\Qivethercoqerly

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04262017230017029\...\Run: [] => [X] => Error: No automatic fix found for this entry.
HKU\S-1-5-21-341341662-432671732-3275167574-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value removed successfully
HKU\S-1-5-21-341341662-432671732-3275167574-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04262017230022483\...\Policies\Explorer: [] => Error: No automatic fix found for this entry.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{ABBA5ED4-039F-11E7-88BA-64006A5CFC23} => value removed successfully
HKCR\CLSID\{ABBA5ED4-039F-11E7-88BA-64006A5CFC23} => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf => key removed successfully
C:\Users\ratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\ratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\NVIDIA Wireless Controller Service => key removed successfully
NVIDIA Wireless Controller Service => service removed successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{48833BEA-C2AD-4D27-8AC8-45415F73C099} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{48833BEA-C2AD-4D27-8AC8-45415F73C099} => key removed successfully
C:\WINDOWS\System32\Tasks\Plerntain Collector => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Plerntain Collector => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87B1EF58-EBFE-43D0-890D-5BB1903F0141} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87B1EF58-EBFE-43D0-890D-5BB1903F0141} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Colucult => key removed successfully
C:\ProgramData\.rdata => ":X" ADS removed successfully.
C:\Program Files (x86)\Qivethercoqerly => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 7715300 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 30696731 B
Java, Flash, Steam htmlcache => 113116995 B
Windows/system/drivers => 116873492 B
Edge => 136103559 B
Chrome => 155816160 B
Firefox => 384704524 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 159629 B
systemprofile32 => 140 B
LocalService => 2113322 B
NetworkService => 23672 B
ratch => 328978896 B

RecycleBin => 151894398 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:43:05 ====



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 27 April 2017 - 10:05 AM

Has the problem been solved?

#5 ratchet117

ratchet117
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:02 AM

Posted 27 April 2017 - 05:15 PM

I haven't been receiving warnings from Malwarebytes so I think it is solved. Thank you for your help.


Edited by ratchet117, 27 April 2017 - 06:46 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 28 April 2017 - 06:49 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



